From 36e694b06113dbbe21d871afa99d2a8032043f4e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 15 2021 17:55:05 +0000 Subject: import rh-nodejs10-nodejs-10.23.1-2.el7 --- diff --git a/.gitignore b/.gitignore index ed57106..a6f9ceb 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/node-v10.21.0-stripped.tar.gz +SOURCES/node-v10.23.1-stripped.tar.gz diff --git a/.rh-nodejs10-nodejs.metadata b/.rh-nodejs10-nodejs.metadata index fa33784..f124458 100644 --- a/.rh-nodejs10-nodejs.metadata +++ b/.rh-nodejs10-nodejs.metadata @@ -1 +1 @@ -9d70f82d5824c638818905f2e0e645e828e516c0 SOURCES/node-v10.21.0-stripped.tar.gz +658cfc032ba3e2a252a5f9c910eab516bb0aa16e SOURCES/node-v10.23.1-stripped.tar.gz diff --git a/SOURCES/deps-ini-do-not-allow-invalid-hazardous-string-as-section-nam.patch b/SOURCES/deps-ini-do-not-allow-invalid-hazardous-string-as-section-nam.patch new file mode 100644 index 0000000..d4b55f2 --- /dev/null +++ b/SOURCES/deps-ini-do-not-allow-invalid-hazardous-string-as-section-nam.patch @@ -0,0 +1,99 @@ +From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001 +From: isaacs +Date: Tue, 8 Dec 2020 14:21:50 -0800 +Subject: [PATCH] do not allow invalid hazardous string as section name + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/ini/ini.js | 8 +++++ + deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + create mode 100644 deps/npm/node_modules/ini/test/proto.js + +diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js +index 590195d..0401258 100644 +--- a/deps/npm/node_modules/ini/ini.js ++++ b/deps/npm/node_modules/ini/ini.js +@@ -80,6 +80,12 @@ function decode (str) { + if (!match) return + if (match[1] !== undefined) { + section = unsafe(match[1]) ++ if (section === '__proto__') { ++ // not allowed ++ // keep parsing the section, but don't attach it. ++ p = {} ++ return ++ } + p = out[section] = out[section] || {} + return + } +@@ -94,6 +100,7 @@ function decode (str) { + // Convert keys with '[]' suffix to an array + if (key.length > 2 && key.slice(-2) === '[]') { + key = key.substring(0, key.length - 2) ++ if (key === '__proto__') return + if (!p[key]) { + p[key] = [] + } else if (!Array.isArray(p[key])) { +@@ -125,6 +132,7 @@ function decode (str) { + var l = parts.pop() + var nl = l.replace(/\\\./g, '.') + parts.forEach(function (part, _, __) { ++ if (part === '__proto__') return + if (!p[part] || typeof p[part] !== 'object') p[part] = {} + p = p[part] + }) +diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js +new file mode 100644 +index 0000000..ab35533 +--- /dev/null ++++ b/deps/npm/node_modules/ini/test/proto.js +@@ -0,0 +1,45 @@ ++var ini = require('../') ++var t = require('tap') ++ ++var data = ` ++__proto__ = quux ++foo = baz ++[__proto__] ++foo = bar ++[other] ++foo = asdf ++[kid.__proto__.foo] ++foo = kid ++[arrproto] ++hello = snyk ++__proto__[] = you did a good job ++__proto__[] = so you deserve arrays ++thanks = true ++` ++var res = ini.parse(data) ++t.deepEqual(res, { ++ foo: 'baz', ++ other: { ++ foo: 'asdf', ++ }, ++ kid: { ++ foo: { ++ foo: 'kid', ++ }, ++ }, ++ arrproto: { ++ hello: 'snyk', ++ thanks: true, ++ }, ++}) ++t.equal(res.__proto__, Object.prototype) ++t.equal(res.kid.__proto__, Object.prototype) ++t.equal(res.kid.foo.__proto__, Object.prototype) ++t.equal(res.arrproto.__proto__, Object.prototype) ++t.equal(Object.prototype.foo, undefined) ++t.equal(Object.prototype[0], undefined) ++t.equal(Object.prototype['0'], undefined) ++t.equal(Object.prototype[1], undefined) ++t.equal(Object.prototype['1'], undefined) ++t.equal(Array.prototype[0], undefined) ++t.equal(Array.prototype[1], undefined) +-- +2.29.2 + diff --git a/SOURCES/deps-y18n-CVE-2020-7774.patch b/SOURCES/deps-y18n-CVE-2020-7774.patch new file mode 100644 index 0000000..88a9d75 --- /dev/null +++ b/SOURCES/deps-y18n-CVE-2020-7774.patch @@ -0,0 +1,13 @@ +diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js +index d720681628..727362aac0 100644 +--- a/deps/npm/node_modules/y18n/index.js ++++ b/deps/npm/node_modules/y18n/index.js +@@ -11,7 +11,7 @@ function Y18N (opts) { + this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true + + // internal stuff. +- this.cache = {} ++ this.cache = Object.create(null) + this.writeQueue = [] + } + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index e5dba60..3b6f68c 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -15,7 +15,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 3 +%global baserelease 2 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{pkg_name}-%{version}} @@ -25,8 +25,8 @@ # feature releases that are only supported for nine months, which is shorter # than a Fedora release lifecycle. %global nodejs_major 10 -%global nodejs_minor 21 -%global nodejs_patch 0 +%global nodejs_minor 23 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 64 @@ -56,7 +56,7 @@ # http-parser - from deps/http_parser/http_parser.h %global http_parser_major 2 %global http_parser_minor 9 -%global http_parser_patch 3 +%global http_parser_patch 4 %global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch} # libuv - from deps/uv/include/uv/version.h @@ -82,7 +82,7 @@ # npm - from deps/npm/package.json %global npm_major 6 %global npm_minor 14 -%global npm_patch 4 +%global npm_patch 10 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # zlib version - from deps/zlib/CMakeLists.txt @@ -92,7 +92,7 @@ %global zlib_patch 11 %global zlib_version %{zlib_major}.%{zlib_minor}.%{zlib_patch} -# brotli - from deps/brotli/common/version.h +# brotli - from deps/brotli/c/common/version.h # v10.x doesn't have --shared-brotli configure option, so we have to bundle it %global brotli_major 1 %global brotli_minor 0 @@ -129,9 +129,12 @@ Source100: %{pkg_name}-tarball.sh # nodejs-packaging SRPM. Source7: nodejs_native.attr -# This is patch just for v10.16.3, we need to rebase it to later version Patch1: 0001-Remove-or-backport-OpenSSL-features.patch +# CVE-2020-7788 +Patch2: deps-ini-do-not-allow-invalid-hazardous-string-as-section-nam.patch +Patch3: deps-y18n-CVE-2020-7774.patch + %{?scl:Requires: %{scl}-runtime} %{?scl:BuildRequires: %{scl}-runtime} BuildRequires: python-devel @@ -491,6 +494,14 @@ python2 tools/test.py "${RUN_SUITES[@]}" || : %changelog +* Tue Jan 26 2021 Jan Staněk - 10.23.1-2 +- Patch bundled y18n for CVE-2020-7774 +- Resolves: CVE-2020-7774 + +* Mon Jan 11 2021 Jan Staněk - 10.23.1-1 +- Rebase to v10.23.1 +- Resolves: CVE-2020-8265 CVE-2020-8287 + * Thu Jul 16 2020 zsvetlik@redhat.com - 10.21.0-3 - Resolves: RHBZ#1845315 - Remove brotli-devel dependency